IT Carve-Out Guide

TUM
TECHNISCHE UNIVERSITT MNCHEN

INSTITUT FR INFORMATIK
IT Carve-Out Guide
Florian Matthes, Alexander W. Schneider,

Christopher Schulz
TUM-I1229
Technischer
Technische Universitt Mnchen
Bericht
Institut fr Informatik
IT Carve-Out Guide
A manual for the separation of IT during corporate re-organizations
Florian Matthes, Alexander Schneider, Christopher Schulz
Software Engineering for Business Information Systems (sebis)

Chair for Informatics 19
Technische Universitat M
unchen
Boltzmannstrae 3, 85748 Garching bei M
unchen, Germany
wwwmatthes.in.tum.de
Abstract
A carve-out can be understood as the separation of one organization into two

independent entities. Thereby, this separation is always cross-functional,
hence happens, among others, on an organizational, financial, legal, and
technical level. In particular the latter aspect, i.e., the permanent splitting of Information Technology (IT), often poses difficulties for the involved
participants. One reason is the dual role IT has to assume in such an exceptional and oftentimes intricate situation. On the one hand IT continues
to cater to new business requirements while on the other hand it is itself
subject to a division. In any case, the targeted and efficient separation of
IT elements, like for instance services, processes, data, systems, projects, or
infrastructure, is essential given the increasing role those elements play for
the success of todays organizations.
As a matter of fact, the body of publicly available knowledge focusing on
IT separation during carve-outs is scarce. Opposed to Mergers & Acquisitions (M&A) sources explaining in detail how the IT can eventually be
consolidated, present carve-out literature refrains from providing concrete
guidance. In particular, existing sources lack a thorough approach facilitating the effective separation of the different IT elements.
Based on a case study we accompanied and a comprehensive literature survey we conducted, this document firstly lays a foundation on the role of
IT in the context of carve-outs. Secondly, it provides a framework consisting of nine workstreams which enable a step-by-step separation of the most
crucial IT elements. In doing so, this guide assumes a scenario where the
subsidiary and its former owner share the majority of IT elements, that is,
no transition to an independent IT takes place.
Contents
1 Introduction
1.1 Motivation . . . . . . . . . . .
1.2 Contribution . . . . . . . . . .
1.3 Target group . . . . . . . . .
1.4 Guide sources and compilation
2 Foundations
2.1 Definitions . . . . . . .
2.2 Participants . . . . . .
2.3 Drivers . . . . . . . . .
2.4 Course of action . . . .
2.5 Typification . . . . . .
2.6 Separation agreements
2.7 Role of IT . . . . . . .
2.8 IT carve-out strategies
2.9 IT cooperation model .
2.10 IT carve-out readiness
2.11 IT elements . . . . . .
2.12 IT data . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. . . . . .
. . . . . .
. . . . . .
approach
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
3 IT carve-out workstreams
3.1 Legal . . . . . . . . . . . . . . . .
3.2 Organization and carve-out team
3.3 Software licenses . . . . . . . . .
3.4 Service contracts and projects . .
3.5 Security . . . . . . . . . . . . . .
3.6 Corporate-wide systems . . . . .
3.7 Local systems . . . . . . . . . . .
3.8 Infrastructure and networks . . .
3.9 System access rights . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
4
4
4
5
5
.
.
.
.
.
.
.
.
.
.
.
.
7
7
7
8
8
10
10
11
12
14
14
15
16
.
.
.
.
.
.
.
.
.
19
21
23
25
27
29
31
35
36
38
4 Conclusion
41
5 Glossary
43
c TU M

unchen, sebis, 2012.
1
Introduction
1.1
Motivation
Undoubtedly, Information Technology (IT) represents one crucial pillar of a present-day

organization. In 2012, the majority of companies and public institutions rely on a stable technical backbone making their business both, more efficient and effective. Even
though typical investments for IT only account for around 3.4% of the annual revenue as
of 2008 [Sm08], a malfunctioning or even complete failure of IT would entail significant
damage for the business.
In the event of a carve-out, i.e., when de-merging organizational assets into a new subsidiary, the dimension of IT is equally affected [Le08, TM11]. Although carve-out situations are not the norm for many organizations, hence occur rather rarely 1 , knowing
which IT elements have to be separated in which way at what point in time helps reducing
risks while cutting overall project costs. However, as remarked by Bohm et al. recently,
the extant literature on both IT integration in acquisitions and IT carve-out processes
is limited [Bo11]. More precisely, the current body of knowledge lacks concrete guidance
steering the management of an IT organization through the intricate process of carving-out
elements of their IT.
1.2
Contribution
The present guide focuses on the dimension of IT within carve-outs. At first, a general
overview on this type of business transaction is given, covering, among others, definitions,
causes for carve-outs, as well as affected IT elements. Second, the document provides
tangible pointers on the separation of the different IT elements as well as means to prepare
their subsequent integration into a buying organization. This means, that objectives,
constraints, indications, and concrete activities are pointed out which are useful for the
sustained split-off of IT organizations, processes, and systems. Thereby, the knowledge base
this guide builds on originates either from the limited number of sources in the domain or
an extensive case study we as a research chair have accompanied between December 2011
and March 2012 at a German car manufacturer.
1
A Deloitte Corporate Finance study from 2010 suggests a total number of 12.000 carve-out transactions
with an overall volume of 600 billion US-dollar in 2009 [De10].
c TU M

Remark:
As made clear in the abstract, this guide focuses on an IT carve-out scenario in which the
subsidiary remains on the shared IT of the selling organization. Thereby, the seller and a
potential buyer are multi-business organizations, thus entities which encompass more than one
subsidiary.
1.3
Target group
The targeted readers of this document are twofold: First, IT management initiating a
carve-out program may use this guide as it contains practical help allowing to foresee and
ease potential stumbling blocks and pitfalls. Second, academics striving for a comprehensive overview on the topic should have a closer look on this document as it includes a
comprehensive collection of current literature in the realm of IT de-mergers. In identifying
blind spots, the document finally derives questions for future research projects addressing
researchers from the research domain of business informatics, software engineering, and
business mathematics.
1.4
Guide sources and compilation approach
In essence, this guide originates from two main sources: a thorough literature review as
well as a multi-faceted case study. While the discovered scientific knowledge forms a solid
foundation, most of the practical pieces of advice presented in this document have been
observed during the case study.
When embarking on IT carve-outs the first step of our research approach was to analyze
current literature on the respective topic. In total, 20 substantial sources examining IT
carve-outs have been studied from October to December 2011. We identified the literature
by applying backward and forward search in the scientific databases IEEE xplore, google
scholar, and citeseer. As keywords we applied the terms information technology, IT,
carve-out, de-merger, and separation in various combinations. The main results of this
survey are presented in Chapter 2.
Furthermore, we conducted a case study between December 2011 till March 2012. Thereby,
we observed and attended an actual IT carve-out project program undertaken by a German
car manufacturing company. During the research project, twelve expert interviews each
lasting for more than 120 minutes each have been conducted in order to externalize the
experts knowledge and lessons-learned about the experienced carve-out. The interviewees
came from different departments including legal, IT, infrastructure, and project management. In addition to these interviews, the entire project documentation has been perused
in order to extract and generalize the knowledge contained therein. This included, among
c TU M

others, slides and final reports from the selling organization, the subsidiary, and the buying
organization. The overall amount of time invested in this case study by the authors was
approx. 200 hours. The annonymized results form the core basis for the nine workstreams
outlined in Chapter 3.
c TU M

2
Foundations
The following sections set the stage for our guide. Besides basic terms and concepts,
literature sources are provided representing starting points to dive further into the realm
of (IT) carve-outs.
2.1
Definitions
According to Broyd and Storch [BS06], a carve-out
can be defined as follows:
Generally speaking, carve outs involve the separation of a set of related assets, which
are not strategic for the company but currently integrated in its operations, into a new
subsidiary. Third-party capital is then introduced into the new entity or it is sold entirely
to a strategic buyer.
Final outcome of a carve-out is a newly traded firm as pointed out by Michaely and
Shaw [MS95]. Further, the two authors differentiate between an equity carve-out and a
spin-off. In the former case, the subsidiary is sold by issuing parts of the stocks (usually
20% or less). This helps the selling organization to acquire new capital while retaining
control of its sold parts through the holdback of the majority of shares [Do12]. In the
latter case, which is also called spin out, all subsidiary shares are distributed among the
former stakeholders who can sell these shares to further investors [MS95]. In line with
Boehm et al. [Bo10], we denote the process of separating IT from its former company as
IT carve-out.
2.2
Participants
A carve-out involves at least two different organizations. More precisely, the participants
are:
1. Selling organization (abbr. seller), i.e., the selling entity which disposes distinct
parts of its assets.
1
Comprehensive information about carve-out synonyms and related terms like divestment, divesture,
demerger, and disintegration are provided in [Bo10].
c TU M

2. Carve-out object (abbr. subsidiary), i.e., the separated assets of the selling organization.
3. Buying organization (abbr. buyer), i.e., the purchasing entity in which the separated carve-out object will be integrated. It is possible to distinguish between buyers
with a strategic and a financial focus [MS95].
Even with no buyer intending to purchase the demerged entity, carve-outs are oftentimes
intricate transformation endeavors. The complexity increases tremendously if a third organization acquires the carve-out object given that additional inter-organizational communication channels, processes, and project structures have to be put in place. The fact that
the seller, the subsidiary, and the buyer are forced to continue their business operations
aggravates the already unfamiliar situation. Besides the daily business, the participants
now have to cope with carve-out as well as integration activities. However, these additional
work streams are not isolated but exert a significant influence on the usual operations of
the organizations.
2.3
Drivers
There are multiple business reasons resulting in a carve-out. Below a list of drivers causing
the permanent separation of a subsidiary. Additional information can be found in [Ca03,
Le08]:
Refocusing of the seller on its core business
Weak economical results of the carve-out object
Need for capital to pay off the sellers debts
Investing in alternative focus areas
Certainly, instead of carving out parts of the enterprise, the respective business unit could
undergo profound restructuring measures.
2.4
Course of action
In line with Fahling et. al. [Fa09], an ideal-typical carve-out consists of four sequential
phases as illustrated in Figure 2.1. A dedicated milestone separates a phase from its
predecessor and successor respectively. The carve-out of IT takes place in parallel to the
PreClosing, Transition, and PostCutting phase.
c TU M

Signing
PreSigning
Closing
PreClosing
Day One
Cutting
Transition
PostCutting
IT carve-out
Figure 2.1:& technischer

Phases of IT
carve-outs [Bo10]
Fachlicher, rechtlicher
Carve-out
Fachliche, rechtliche & technische Integration
Tochter aus Verkufer
Tochter in Kufer
During the PreSigning phaseBereitstellung

seller and buyer
negotiate
contract
details
andund
conjointly
IT-Services
durch the
IT des
Verkufers,
Tochter
Kufers
agree on the dates for the different milestones. Further, Mergers & Acquisitions (M&A)
consultants help in assessing possible synergies and determining an exact pricing. All collected pieces of information about the carve-out object are stored in a data room which
can be of virtual or physical nature and is hosted and maintained by the seller. Under
normal circumstances, the repository has to be provided to all potential buyers enabling
them to weigh short and long-term benefits of the purchase. Given the increasing importance of technology, IT relevant information has to be also stored in the data room [Bo10].
In doing so, financial and technological decision can be made on a more elaborated and
sophisticated decision basis. The signing of the contract finishes the phase, which is usually
characterized by a high activity level of the organizations legal departments.
Abstimmung
Abstimmung
Abstimmung
Rechtliche
The Project Management Office (PMO)
and related project structures
are set up in the
Technologische
Vorgabenformed IT carveUmsetzbarkeit
course of the PreClosing phase. Now
its also the time when a dedicated
out team starts to Informationsmark
those IT elements whichFachbereich
have to be logically or physically
sepaRechtswesen
technologie
rated. The phase ends with the closing
milestone. From the next day
onwards (also called
Fachliche
Fachliche
Anforderungen
Day 1), the carve-out object isAnforderungen
transferred to the buyer. The
change of possession is
accompanied by the legal (but not necessary technological) independence of the object
from the seller.
During subsequent Transition phase, the three organizations perform the lions share of the
separation and integration work. Throughout a very long and tedious period, the IT carveout team splits all previously marked IT elements and makes them available to the buyer.
A cutting milestone marks the phases end. From now on, seller and carve-out object have
an autonomous IT. This also holds true for any temporary IT service agreements which are
(with a few exceptions) terminated by mutual consent. If the businesses are already able
to operate independently from each other, one speaks of a standup situation [AA10].
Possible clean up and rework is done in the PostCutting phase. Especially the IT departments are often still in charge of rectifying temporary workarounds [Fa11]. Mostly, these
intermediate makeshift solutions have been adopted to either generate quick wins for business or comply with legal requirements. In any case: it is indispensable that IT considers
the requirements raised by legal as well as the participating organizations.
c TU M

2.5
Typification
Table 2.1 depicts three types of carve-outs as found in literature [Le08]. The distinguishing
factor is the treatment of the carve-out object once it has been separated from the seller.
In case the carve-out object is not directly acquired by the buying organization with the
dawn of Day 1, it becomes a legal and economical independent entity first. Sources
speak of a stand-alone carve-out [Le08] highlighting the autonomous trait of this form.
Stand-alone carve-out
Carve-out object as a standalone organization without
integration into the buyer
Merger carve-out
Joint venture carve-out
Fusion of two equipollent

Third party organization as buyer
organizations to a new
of the carve-out object
organization
Table 2.1: Types of carve-outs (inspired by [Le08])
Both, merger and joint venture carve-out necessitate explicit integration efforts after the
subsidiary has been detached 2 from its former company. Separating as well as integrating
parts of a company can be complex and intricate, especially when being performed in
very close succession. As shown in Figure 2.2, the two activities take place on a business,
legal, and technical level. On top of that, the participants all pursue their individual
and optimistically set carve-out and merger/joint-venture goals while being obliged to
maintain a fully functional IT. Different or even conflicting interests oftentimes affect the
relationship between the actors leading to an ambivalent atmosphere sometimes referred
to as co-optition by literature [Bo11]. For instance, whereas the seller might prefer to leave
the software licensing model of its separated business untouched, the buyer rather intents
to harmonize the licenses across all of its business divisions due to economies of scale.
Business, legal, and technical carve-out
of the subsidiary from the sellers organization
Business, legal, and technical integration

of the subsidiary into the buyers organization
IT departments of seller, subsidiary, and buyer provide IT-services
Figure 2.2: Core activities of a merger and joint-venture carve-out
2.6
Separation agreements
Even if the seller and carve-out object do no longer belong to the same organization,
there is still a high chance of interdependencies caused by, among other things, continuing
2
Authors like Cascorbi use the term desintegration when speaking of the activities inverse to an integration [Ca03]
10
c TU M

business relations. Most probably, the seller still offers (IT) products and services to the
separated entity until the latter is able to stand on its own feet. However, given that both
organizations may be in competition with each other, any type of relationship has to be
at usual market conditions while being made transparent to the legal authorities, thus will
stand up to legal scrutiny. Put differently, an arms length principle has to be applied
ensuring the condition or the fact that the parties to a transaction are independent and
on an equal footing [Wi12].
In general, an (IT) separation agreement between the two entities is valuable for establishing agreement on key issues [DW08]. Literature distinguishes between two different
types of legal documents applied in carve-out situations. As a legally binding document,
the Asset Transfer Agreement (ATA) defines which assets are going to be transfered to the
carve-out object [AA10]. Similarly, the Transition Services Agreement (TSA) states which
services the seller continues to provide to the new company during a limited period of
time [TM11]. Equally binding for the organizations, the well-defined and closely managed
document also comprises the associated costs as well as terms and conditions [AA10]. Generally, TSAs delay the actual separation at the expense of additional costs and reduced
flexibility [BESC07]. If they are applied, the participating entities should have reached
consensus even on nitty-gritty details. Further, the concept of a so-called black-list helps
to mark and memorize the subset of services, which should not be provisioned or requested
by the organizations [Bo11].
2.7
Role of IT
As discussed above, a carve-out is mostly business driven. However, structuring and managing IT in a carve-out transaction can turn out to be a very complex undertaking [TM11].
Consequently, concerned IT departments should be involved early on and with a high
degree of intensity [Le08]. Most perfectly, this involvement happens when the deal is
struck [TM11], i.e., before the carve-outs transition phase. In particular the crucial role
IT has gained over the last decades within organizations (IT as enabler instead of a
pure supporter of business needs [BESC07]) underlines the urgent need for including a
technology perspective right from the start of the carve-out activities.
However, despite the proliferating number of interdependencies between business and IT,
other dimensions should not be neglected. Among others, organizational, process, financial, strategical, and communicational aspects have to be taken care of as well (cf. Figure 2.3). Certainly, the separation and subsequent consolidation of one distinct dimension
is not performed in a vacuum. Instead, there exist cross-dimensional interactions with
other dimensions which have to be accounted for when advancing the desintegration and
integration work.
The phrase of Melvin Conway can be taken as a famous example for the reciprocal interaction between dimensions. Coined in 1968, the adage says that any organization that
c TU M

11
Business, legal, and technical carve-out

of the subsidiary from the sellers organization
Business, legal, and technical integration

of the subsidiary into the buyers organization
IT departments of seller, subsidiary, and buyer provide IT-services
PreSigning
PreClosing
Transition
PostCutting
Strategy
Financial
Legal
Products
Organization
Processes
Information Technology
Communication
Figure 2.3: IT as one dimension of a carve-out
designs a system (defined broadly) will produce a design whose structure is a copy of the
organizations communication structure [Co68]. What would later just be called Conways
law describes the phenomenon that the communication dimension of an organization has
a bearing on its IT. Hence, a business model which imposes a decentralized organization
structure almost inherently entails a decentralized application landscape.
2.8
IT carve-out strategies
Given the legal separation of selling organization and subsidiary being acquired by another
entity, three different strategies for the IT can be distinguished:
1. Retention: IT remains at the parent company.
2. Transition: IT of the acquiring company is used.
3. New-build: IT is built from scratch.
Due to different reasons such as costs, estimated time, and potential risks the new-build
strategy can be neglected. As a consequence, the selection of an IT strategy is restrained
to two alternatives: use the sellers IT or use the buyers IT (cf. Figure 2.4). In addition,
the IT strategy has to define whether the required IT will be cloned by physical separation or if a shared use model will be pursued. Shared IT with the seller often leads a
logical separation due to legal reasons. All three strategies can also be combined which is
called best-of-breed or cherry-picking [Sc11]. Thereby, one part of the required IT can be
implemented from scratch while other parts are shared or duplicated.
12
c TU M

Products
Organization
Processes
Information Technology
Communication
IT
carve-out & integration
IT
selling organization
IT duplication
IT sharing
IT
new-build
IT
buying organization
IT duplication
IT sharing
Figure 2.4: IT strategies for carve-out and subsequent integration
For a stand-alone carve-out without an acquiring organization and therefore no IT integration, of course the choice of IT strategy is limited to retention and new-build.
The selection of an IT strategy results in several technical and organizational consequences
for seller, carve-out, and acquiring organization. These consequences are not limited to
the respective IT departments but affect also business units. Table 2.2 list some common
consequences for the previously described IT strategies. Thereby, there is no distinction
between shared IT and cloned IT and also a combination of strategies is not addressed.
Strategy
Selling organization
Transition Data extraction
New-build Data extraction
Subsidiary
Buying organization
Business & IT staff training IT adjustements

Business process
Data import
adjustments
Business & IT staff training Interface development
Business process
adjustments
Data import
Interface development
Interface development
Retention Data access separation
Table 2.2: Types of carve-outs (inspired by [Le08])
The implications of a selected IT strategy can affect the involved entities to a different extent. Therefore, target conflicts can emerge which should be considered by the participants
in advance before the divergence in demands will be negotiated.
c TU M

13
Signing
Closing
PreSigning
2.9
Day One
PreClosing
Cutting
Transition
PostCutting
IT carve-out
IT cooperation model
IT processes
Licenses
Data
IT projects
Cross-organizational projects are Business

the mainprocesses
driver of any carve-out. Thereby, each single
initiative is carried out by the members of the business, legal, and IT departments. Given
services
that the separation of IT is not anIT end
in itself but rather a consequence of SLAs
an informed
business decision, it is the business which has the obligation to take the lead in advancing
IT assets
the carve-out project program. Of course,
this also includes the support of IT in the best
possible way in particularGlobal
if legal
requirements
impose severe
technical constraints.
IT systems
Local IT systems
Figure 2.5 sums up the ideal model of cooperation. Obviously, business plays a pivotal
role. Not only it is in charge of providing sufficient staff who is committed to formulate
infrastructure
and networks
its demands to IT and legal. In ITaddition,
business
also needs to liaise with the legal
departments to translate their requirements into a business language better understandable
for IT. Each legal demand is captured by business which then passes on an adapted (i.e.,
IT organization
for engineers understandable) version to the IT departments. Vice versa, IT communicate
their technical constraints to business. After having acknowledged them, business forwards
them in a comprehensible form to the members of the legal departments.
Legal
constraints
Technical
constraints
Informationtechnology
Business
Business
requirements
Legend
Inter-organizational coordination
Legal
Business
requirements
Intra-organizational coordination
Figure 2.5: Ideal model of cooperation between business, legal, and IT
Next to the intra-organizational cooperation between the three entities, a carve-out always
necessitates an inter-organizational coordination. This fact is accounted for by the overlapping rectangles and the directed loop, both depicted in Figure 2.5. However, before
interacting with its respective counterpart, the three departments business, legal, and IT
should be internally aligned, thus speak with one voice to the respective other organization. Against this background, the situation where one IT organization acts as a mediator
between the two business departments should be avoided. Instead, the business departments have to come to an agreement before handing down their coordinated requirements
to their respective IT units.
2.10
IT carve-out readiness
In order to smooth a prospective IT carve-out, proactive actions can be carried out even
before the PreSigning phase begins. For example, during the development of new software
14
c TU M

or changes to existing software, multi-tenancy capabilities can be emphasized. In addition,

the documentation of the as-is IT architecture can always be kept up-to-date. As a result,
during the transition phase the to-be architecture and the transition to it can be focused.
With an IT carve-out readiness companies achieve their associated targets more quickly
and more efficiently.
However, the IT carve-out readiness has its price which has to be payed by the company
in advance. Thereby, a balance between anticipatory work and reactive action has to be
found. Additional benefits can be realized if synergies to currently running IT projects
concerned with similar questions can be identified. The business strategy and its derived
IT strategy should always provide a frame for the IT organization and define guidelines.
2.11
IT elements
Within this guideline we use a common separation for IT which is visualized in Figure 2.6.
Thereby we distinguish between IT assets, IT organization, and IT processes as well as IT
projects. The IT assets are further divided into technical parts such as IT infrastructure and
networks, IT components, and local as well as global IT systems. Thereby, IT infrastructure
comprises all physically existing hardware, e.g. network, hard discs and switches, whereas
IT components, e.g. operating systems, database management systems and application
servers, form reusable building blocks for IT systems.
Signing
Closing
Day One
Cutting
All kinds of IT assets can be acquired physically or by license. They are operated by IT staff
and IT processes and they are changed by IT projects. The quality of services provided by
PreSigning
PreClosing
Transition
PostCutting
IT assets is determined
in respective
Service Level
Agreements
(SLAs) which are negotiated
between service provider and service consumer. Service consumers are business units as
IT carve-out
well as the IT department itself.
Business processes
IT services
SLAs
Global IT systems
IT processes
Licenses
Data
IT projects
IT assets
Local IT systems
IT infrastructure and networks
IT organization
Figure 2.6: IT elements affected by a carve-out

Legal procedural, and organizaWhen a carve-out takes place,Technical
it is accomplished in the technical,
constraints
constraints
tional sense. InformationsTherefore, logical separation, physical separation, duplication or reconstrucBusiness
technologie
c TU M

unchen, sebis, 2012.Business
requirements
Legend
Inter-organizational coordination
Legal
Business
requirements
Intra-organizational coordination
15
tion has to be established for all interrelated IT assets introduced before. Furthermore,
already started IT projects and licenses have to be reevaluated. Thus, the more detailed
information about the existing IT assets of the parent company is available, the better the
decisions about the carve-out companys IT. In other words, a good documentation of the
as-is IT architecture eases the design of both to-be IT landscapes. By contrast, if information about the actual IT is rarely available the time-consuming and resource-intensive
homework of documenting has to be done before carve-out decisions can be made.
2.12
IT data
As pointed out in Figure 2.6, within an organization data plays a cross-functional role.
While it is kept physically by the IT infrastructure (e.g., hard disc, magnetic tape), IT
systems run calculations on it or display the respective results on the screen. In turn, IT
services allow users to make changes, hence inserting, deleting, or updating.
In a carve-out, all those data becomes critical which is exclusively attributed to either
the selling or the buying organization. Hence, during and after the carve-outs execution,
the access to critical data has to be granted to seller or buyer respectively. Table 2.3
proposes a exemplary set of qualitative criteria determining the criticality of a certain data
class. In combination, the two columns data class and criticality criterion constitute
a data classification scheme. In each carve-out, the schema has to be conjointly worked
out by the business and legal departments of the participating entities accounting for legal
particularities and specific business constraints.
If at least one carve-out participant classifies certain data as being critical, all IT systems
which store this particular data must be considered as being critical, too. Once an IT
system is marked critical, logical or even physical separation becomes mandatory. The
separation of the data, which inevitably comprises the separation of IT systems, has to be
performed in a bi-directional manner. Consequently, it has to be ensured that
1. the seller cannot access the data of the carve-out object any longer, as well as
2. the carve-out object has no longer the possibility to retrieve the data from its former
parent organization.
Generally, its the task of the IT departments to decide how the separation is actually
realized. Whereas a physical separation (i.e., technical split of hardware) always implies a
logical one (adjustment of software), the other way around is not the case. Of course there
are exceptional cases making the separation of IT systems obsolete. For instance, in many
occasions user specific contact data (e.g., Outlook address lists) can remain in the same
non-separated IT system as long as all users of this system sign a dedicated non disclosure
agreement.
16
c TU M

Data class
Personal data
Criticality criterion
Critical according to the organizations' guidelines and/or data protection
regulations of the governments
Critical if data is kept in a personal data IT system (person's name in conjunction
with birth date, salary, biography, etc.)
Not cricital if data reveals general communication details (e.g., e-mail
addresses, company phone number, user identification)
Critical if classified as being critical by at least one of the participants due to

business interests
Critical if data is considered confidential or secret
Organizational
Critical if data is internal but business departments decide it has to be accessed
data
exclusively
Not critical if data is publicly available
Critical if data allows conclusions about non-public information of an
organization's competitive behavior, business areas, internal details (e.g.,
purchase price, order quantity, delivery conditions, investments, research)
Anti-trust data
Critical if data has to be treated confidentialy in regards of a third party (e.g.,

supplier product design data, testing results, delivery reliability)
Critical if data reveals information about the quality of third parties' products and
Third-party data services (e.g., quality reports)
Table 2.3: Example for a data classification scheme
c TU M

17
18
c TU M

3
IT carve-out workstreams
The workload of an IT carve-out where the subsidiary remains on the sellers IT can be
separated into nine distinct workstreams. As visualized in Figure 3.1 the topic-centric
streams start in different phases of the carve-out project. This guide subdivides each
workstream into the four sections objective, constraints, pieces of advice, and course of
action.
PreSigning
PreClosing
Transition
PostCutting
Legal
Organization
Licenses
Services
Security
Corporate-wide
Local
Infrastructure
Access rights
Figure 3.1: Ideal carve-out workstreams timeline
Within each workstream depicted in Figure 3.1 the respective tasks are accomplished by
different actors. For example, the tasks within the legal workstream have to be performed
by the legal department. A holistic overview of the main actors involved during the nine
workstreams is presented in Table 3.1 wherein each actor or group of actors is briefly
described and linked to each workstream in which they play a major role.
The next part of this guideline successively describes the nine workstreams and their enclosed activities. Their content mainly stems from the generalized and abstracted findings
we gained when examining the case study. Despite our efforts to mirror this practice-proven
knowledge to the extant literature, we could only find few sources which strengthened our
observations.
c TU M

19
Actor/department
Auditor
Description
Workstreams
An individual qualified to conduct IT audits, Infrastructure and networks
thus assess IT solutions regarding their
conformance with legal or organization
specific regulations. Auditors can be of
organization internal or external nature.
Organizational part of a company or public

institution responsible for all business
Business department affairs. In taking the lead of the carve-out
project, a business deparment regularly
liases with the IT and legal department.
A third-party organization that provides
External IT service
some kind of IT services (e.g., storage
provider
communication, processing service).
A group of experienced professionals
coordinating the step-wise separation of IT
elements. With not more than 20 members,
IT carve-out team this team consists of employees from all
involved IT departments while directly
reporting to their (IT) management.
institution responsible for all IT related
affairs. In carve-outs, IT is separated
through the smooth interplay between the
IT deparments of seller and subsidiary.
IT department
Legal
Organization and carve-out team
Corporate-wide systems
Service contracts and projects

Local systems
Infrastructure and networks
Software licenses
Corporate wide systems
Local systems
System access rights
Legal
Security
Local IT systems
IT employee
Member of the IT department of either the Corporate-wide systems

seller or subsidiary organization. He/she is Local IT systems
in charge of implementing the IT separation. Infrastructure and networks
IT system
administrator
A person who manages a set of IT systems Corporate-wide systems

in an organization. He/she is involved with Local IT systems
operation system and hardware installations
/ configurations besides system installations
and upgrades.
IT system owner
Legal department
An individual who acts as the main contact

point for information about an IT system.
For instance, he/she provides details about
the system's interfaces, users, lifecycle, and
maintenance costs.
institution responsible for all juridical affairs.
In carve-outs this unit has to be particularly
versed in anti-trust laws.

Local IT systems
Legal
Table 3.1: Main carve-out actors and their fields of activity
20
c TU M

3.1
3.1.1
Legal
Objectives
The core objective of this workstream is to develop an obligatory legal framework expressed
by concrete principles and guidelines. This framework is binding, thus have to be taken
into account by all other workstreams. Furthermore, mechanisms for legal reviews are
elaborated. They are used to assess the IT solutions being developed in course of the
carve-out in respect to their conformity to the framework.
3.1.2
Constraints
Continuous and pro-active collaboration of the legal departments during and after
the carve-out.
3.1.3
Pieces of advice
Early involvement of IT and business departments already during the PreSigning

phase of the carve-out.
Business units liaise with legal as well as IT departments, thus act as a mediating
element.
If intermediate steps are planned to realize the final IT scenario (e.g., transition to
the IT of the buyer), the legal departments have to define distinct legal frameworks
for each of these steps. In particular, deadlines, disclosures, and permissions have to
be part thereof.
3.1.4
Course of action
1. The legal departments of selling, buying, and carved-out organization collectively set
up a legal framework for each single workstream. The framework comprises relevant legal guidelines and principles (cf. Table 3.2) while incorporating the national
legislation of the participating organizations.
2. The legal departments of all involved organizations conjointly define different mechanisms which determine how the developed IT solutions elaborated in the workstreams
are validated according to the established framework.
3. The business departments of involved organizations derive IT requirements from the
legal framework (e.g., required separation of data).
c TU M

21
Workstream
Tasks
Legal
None
None
Software licences
Assist the procurement departments with the jurdical

validation of software licence transfers

Security
Design and structure IT service contracts (in particular if

subsidiary relies on the sellers' IT systems after the transition
phase has ended)
None
Develop a data classification scheme allowing to determine

if a physical or logical separation of an individual IT system
has to take place from a jurdicial point of view
Local systems
cf. corporate-wide IT systems
Infrastructure and network
Devise, negotiate, and agree upon temporary network and

infrastructure solutions employed during the transition phase
Validate user access rights for each IT system - data object

combination
Table 3.2: Tasks of the legal departments
4. The IT departments (in the role of a business unit) derive requirements regarding
the set of IT systems they are using to provide IT solutions and services (e.g., user
account management platform, development environment system).
5. The legal departments accompany the IT carve-out from a juridical stance on an
ongoing basis. They frequently validate IT solutions with regards to the established
legal framework and act as a primary contact for legal questions.
22
c TU M

3.2
3.2.1

Objectives
The main objective of this workstream is to set up a new IT organization affiliated to the
subsidiary. Additionally, an IT carve-out team has to be formed by recruiting capable
employees from all involved organizations. The goal of such a dedicated task force consists
in identifying all separation/integration tasks, prioritizing and ordering them, allocating
necessary resources, and orchestrating their execution. Last, the workstream addresses
organizational bottlenecks. The increased workload, caused by the inevitable integration
and separation activities, can be eased by employing external professionals.
3.2.2
Constraints
3.2.3
Pieces of advice
Establishing a clear organizational IT structure very early in the carve-out is vital

for the success of the transformation [DW08]. If needed, new hardware technicians
and/or IT system specialists are transferred to the subsidiary or are newly hired.
In the long run, the newly created IT department of the separated organization
should be able to independently run and change their IT [BESC07]. Even if the
sellers IT is still used, sufficient IT skills and knowledge have to be available on the
subsidiarys side, e.g., for IT support and modification of local IT systems.
Given that a carve-out is always an unstable and insecure period for its participants,
it is crucial to prevent an organizational brain drain, i.e., the increased quitting of
key staff uncertain of its future position. Good change management practices [Fa11]
coupled with continual communication [BESC07] helps reducing the risk of loosing
high potentials.
The IT carve-out team should avail of its own budget highlighting its autonomy and
degree of assertiveness.
The IT carve-out team should work closely with the business departments. Preferably, business also establishes a carve-out unit acting as a counterpart.
External professionals can prevent resource bottlenecks and compensate for knowledge deficiencies. However, these specialists do not have a quorum and need to be
accompanied and monitored by in-house staff.
Regarding their educational background, external professionals do not necessarily
need an IT graduation. Experts from the business and legal department who draw
on substantial IT knowledge and experience are equally suitable.
c TU M

23
3.2.4
Course of action
1. All participating organizations appoint internal experienced professionals to be part

of the newly created IT carve-out team whose size should not exceed 20 persons.
It is advisable, that the subsidiary takes the lead, thus is in charge of pushing the
separation process [DW08].
2. The IT carve-out team sets up a subsidiary IT organization preferably already during
the PreSigning phase. Due to the high occurrence of legal and organizational specific
questions it is advisable to make knowledgeable representatives of IT security as well
as lawyers part of the team.
3. The IT carve-out team regularly reports on the status of the carve-out. In this vein,
IT management remains updated about possible hold-ups and budget killers.
4. The carve-out team organizes trainings and hands-on sessions to impart the (mostly
tacit) knowledge and skills of the sellers IT department (e.g., IT system key users,
infrastructure administrators) to employees of the subsidiary.
24
c TU M

3.3
3.3.1
Software licenses
Objectives
The main objective of this workstream is the reorganization of the sellers software licenses.
Basically, the software is required to render the IT services to the business departments.
A reorganization includes
a reallocation of software licenses for the selling company as well as
a potential new allocation for the subsidiary.
In terms of this guide, a software license can be defined as the permission a licensor grants
to a licensee, allowing the latter to run the licensors software on desktop PCs, notebooks,
mobile devices, or in data centers.
3.3.2
Constraints
Within this workstream, licenses for embedded software are disregarded (e.g., machine control software).
3.3.3
Pieces of advice
Although software licenses, especially at the beginning of a carve-out, seem to have a

limited monetary impact on the overall carve-out project budget, their disregarding
and violation might incur enormous costs in the long run. Among others, possible negative implications are contractual penalties as well as injunctions of software
vendors.
For the continuous collection of information about currently operating IT systems
and their related licenses commercial configuration and inventory tools can be of
valuable service (e.g., Symantec Altiris).
The contracts between licensor and licensee should contain dedicated change-ofcontrol clauses. Such clauses govern eventual changes in the ownership or usage
relationships of the software license occurring especially in M&A and carve-out scenarios.
3.3.4
Course of action
1. The IT carve-out team gathers information about the as-is state of the selling organizations software licenses and stores this data in a license repository. The repository
c TU M

25
keeps the number of actual users while leaving aside the actual softwares place of
installation.
2. The IT carve-out team determines the to-be state of software licenses for the selling
organization. If requested, the team additionally describes the to-be state for the
subsidiary.
3. The IT carve-out team delivers the as-is state as well as the to-be state(s) to the
respective procurement department(s). The latter is then responsible for taking
appropriate measures in order to comply with legal requirements. For example, this
includes contacting the licensor for renegotiating the software licenses.
26
c TU M

3.4
3.4.1

Objectives
The main objective of this workstream is the negotiation and conclusion of IT service
contracts for the subsidiary. An IT service is made up from a combination of people,
processes, and technology [OG07] offered by the IT department to the business. To define
its provisioning quality distinct SLAs, which are part of the contract, are used. After
the carve-out, an individual IT service can be rendered by either the seller or an external
provider. Besides the services and their contracts, underlying IT support structures (e.g.,
help desk, 1st-level support) as well as ongoing and planned IT projects are reorganized
within this workstream.
3.4.2
Constraints
The negotiation of IT service contracts between selling organization and subsidiary

have to comply with the arms length principle [Wi12].
The involved IT departments of seller and subsidiary are able to measure their service
levels for both provided and received IT services (IT service monitoring).
3.4.3
Pieces of advice
In case the IT systems of seller and subsidiary remain identical after the carve-out,
the IT services delivered by those systems are homogeneous as well (IT strategy
retention, cf. Chapter 2). Nevertheless, the associated SLAs may vary.
To foster a final and definitive separation of selling organization and subsidiary, the
subsidiary should have the possibility to negotiate and sign its IT service contracts
by itself.
Since the relationship between seller and subsidiary changes with Day 1 of the carveout, the IT service contract negotiation process has to be altered accordingly (e.g.,
dedicated contract template for IT services).
The negotiation and contractual arrangement of international or intra-organizational
cost allocation for IT services requires expertise in various fields, among others, taxes,
legal, and compliance. A mere IT service definition from an IT perspective is thereby
not enough. All negotiated services have to be based on a clear cost model [DW08].
The IT support structure may or may not be physically identical for selling organization and subsidiary.
c TU M

27
The grouping of IT system development and maintenance contracts avoids additional

administrative effort for both, seller and subsidiary. The bundled contracts, implying
the launch and execution of different IT projects, are negotiated and signed centrally
between two single representatives of the organizations.
3.4.4
Course of action
1. The IT carve-out team analyzes and determines all IT services which are required
by the subsidiarys business units. Thereby, the team distinguishes between services
which will be provisioned by
(a) the selling organization and
(b) external service providers.
For both types, the carve-out team documents the to-be state with the help of an IT
service catalog.
2. The legal departments acting in agreement with taxation and controlling draw up
contracts between seller and subsidiary for all to-be IT services and IT projects
provisioned by the sellers IT department. Subsequently, the sellers IT and the
subsidiarys procurement department sign these time-limited contracts. Instead of
signing multiple individual contracts, it is also possible to agree upon a framework
contract consisting of several individual agreements.
3. The subsidiarys procurement department independently negotiates and signs further
IT service contracts with external service providers.
4. The IT system owners of the selling organization adjust their system maintenance
and development plan in order to reflect the actual distribution of costs. As long
as using the IT services of the former mother, the subsidiary is also charged for any
modifications done to the respective IT systems.
5. The IT carve-out team instructs an IT services and projects contact person, for either
the seller and the subsidiary. After the transition phase, these two contacts are in
charge of adjusting and renegotiating the IT services and projects contracts against
the background of new internal and external conditions.
28
c TU M

3.5
3.5.1
Security
Objectives
The main objective of this workstream is to develop a compulsory IT security framework

which, in the form of concrete policies and guidelines, will be respected within the other
workstreams. In addition, the cross-functional workstream provides mechanisms employed
to monitor the degree of adherence to the IT security framework. The principal focus is
put on the security compliance of group-wide/local IT systems, networks, infrastructure,
and data.
3.5.2
Constraints
Exchange and mutual acceptance of the IT security framework of seller and buyer.
The IT security departments liaise with the legal, internal audit, and data protection
department. Legal requirements need to be translated into IT requirements.
Any IT solution has to be at least in its concept/design phase if it undergoes an IT
security check.
3.5.3
Pieces of advice
An IT security employee should be member of IT carve-out team. His/her level of

involvement varies throughout the carve-out transition phase.
In principle, a temporary violation of the IT security framework is possible. However,
this intermediate period requires a special permit of the IT security departments of
all involved organizations.
A carve-out leads to changes of an IT which has been previously in line with the IT
security framework. Against the backdrop of external attacks treating the organizations businesses, any intermediate IT state has to be cross-checked by employees of
the IT security departments regarding open leaks and vulnerabilities.
3.5.4
Course of action
1. The IT security departments of the affected carve-out organizations jointly review

and asses their IT security policies focusing on gaps and potential conflicts.
2. The IT security departments monitor the IT solutions being under development
regarding their degree of conformance to the IT security framework. Possible means
to perform this task are audits, repeated inspects, and CERT based scans.
c TU M

29
3. The IT security departments constantly advises and support the IT departments

on all questions dealing with the adherence to the security framework. Main target
group of these consulting and assistance activities are all the number IT architects
who require help in interpreting and applying the IT guidelines and policies.
30
c TU M

3.6
3.6.1
Objectives
The objective of this work stream is to plan the technical separation of corporate-wide
used IT systems. In particular, the main focus is put on systems operating on data shared
together by selling company and subsidiary. The final outcome is, that selling organization
and subsidiary have exclusive read and write access permissions to their own data even if
the underlying IT systems are still commonly used.
3.6.2
Constraints
The subsidiary follows the IT system migration roadmap of the selling organization,
i.e., there are no different IT system versions for subsidiary and seller in parallel.
The cost for any IT system customization must be fully funded by the requesting organization. An exception are all adjustments which are imposed by legal constraints.
3.6.3
Pieces of advice
The type of data separation depends on the specific data stored in an IT system.
Generally, logical and/or physical separation are possible.
Country-specific legislation and company specific guidelines determine whether the
data of an IT system has to be considered critical, thus needs to be separated.
Starting on the level of IT systems (not business/IT capabilities, services, or infrastructure) is suitable for identifying the need for a data separation.
To pro-actively ease a potential data separation already in the IT system development
phase, technical access and interface mechanisms should be put in place.
Prior to the separation of an IT system, it is recommendable to check whether confidentiality agreements, functional process adjustments, or process outsourcing could
replace the costly split-up.
3.6.4
Course of action
Identification
1. The IT carve-out team identifies those IT systems that will be used by selling organization and subsidiary after the carve-out transition phase is completed [La09]. All
c TU M

31
Shared ITSystem?
Yes
Data type?
Personal
Company
No
AntiTrust
ThirdParty
Critical
data?
Yes
No
Separation without
system changes?
Yes
No
a) NDA
b) Process adaptation
c) Process outsourcing
a) Logical separation
b) Physical separation
Final state
Decision
Figure 3.2: Decision tree for IT system separation
candidates need to be retained in a separate repository. In a nutshell, the following

Technologische
?
Abstimmung
three identification
methods can
be applied:
und rechtliche
Rechtliche
Umsetzbarkeit
Vorgaben
Fachliche
bersetzte
Top-down questioning
of participating business departments (starting point for
InformationsFachbereich
Rechtswesen
technologie
discussions are business
processes and their supporting IT systems).
Bottom-up
questioning of IT system
owners as well as local IT departments
fachliche
Anforderungen
Anforderungen
which embed the system in a technical
context (e.g., network and firewall).
Analysis of secondary sources, for instance, EA management tools. Depending
on the EA data quality, the gathered information possibly needs to be doublechecked with respective experts from IT and business departments.
2. The IT carve-out team prepares carve-out system forms for the business departments
of selling organization and subsidiary (see example in Appendix 5). If possible, the
form also includes the total number of users and administrators as well as the different
user types (external, internal). The form focuses on a single-system view. Hence,
interfaces and interconnected systems are not considered.
Classification and analysis
1. The business departments of seller and subsidiary decide on the data classification
and its criticality for all shared IT systems with their signature on the respective
carve-out system form. If the data (and therefore the system) is considered critical,
they both explore the option of separating the data without changes to the IT system
(see Figure 3.2). The type of separation is decided based on the following sources:
corresponding carve-out system forms, business departments knowledge about data,
type and number of system users, and data usage. The carve-out system forms of all
non-critical IT systems are archived.
Note: Instead of marking data and related IT systems generally as critical, it is
advantageous for the subsequent implementation to define the criticality on a more
32
c TU M

fine-granular level (for example on an attribute level). In consequence, a costly allor-nothing separation will be prevented.
2. The IT carve-out team centrally signs an analysis and development contract with the
owners of the critical IT systems. An analysis includes a thorough system analysis
(data access perspective: seller - subsidiary and subsidiary - seller) and results in a
functional specification.
3. The functional specification is accepted or rejected by the legal departments.
4. The IT system owners draw up a time, cost, and resource estimation and assign the
task of implementing the functional specification to IT employees.
Note: The type of an IT system separation is, among others, contingent on the number and types of users (internal, external) as well as usage patterns (see Figure 3.2).
In some cases, it is possible to make use of quick and inexpensive auxiliary solutions,
for example by:
(a) Signing confidentiality agreements by the users
(b) Adapting business processes and as a consequence the user groups
(c) Outsourcing the IT system supported business process(es)
The technical and/or legal feasibility of each individual solution should be assessed
in that order. IT system administrators play a special role, since they are granted
access to all data even after the separation. An additional solution must be prepared
for them, for example by signing confidentiality agreements.
Implementation
1. The IT system owner and the assigned IT employees implement the system changes
by means of IT projects. Thereby, the protection of organization-specific data has to
be bidirectional:
(a) Protection of the selling organizations data against unauthorized access from
the separated subsidiary
(b) Protection of the subsidiarys data against unauthorized access from the selling
organization
Note: In particular, the protection of the subsidiarys data against the seller can
possibly be time and cost consuming, since this type of separation applies usually
only in carve-out situations. In contrast, the protection of the sellers data against
external entities happens more often (e.g., when cooperating with third-party service
providers).
The following aspects have to be taken into account in case of a logical IT system
separation:
c TU M

33
(a) Logical separation of data through the introduction of a subsidiary-specific discriminator in the IT system, if technically feasibly.
(b) Separation of common user groups.
(c) Allocation of new user-identifications (user IDs) with data read and write access
permissions for the employees of the seller and subsidiary.
Note: Rather than to create new user identifications, it is possible to adapt read and
write access permissions of existing users to reflect the new organizational situation.
2. Both business and legal departments inspect and approve the modified IT systems.
34
c TU M

3.7
3.7.1
Local systems
Objectives
The main objective of this workstream is the separation of the local IT systems, i.e., on-site
applications which will still be used by seller and subsidiary after the carve-out. In line with
their corporate-wide counterparts, the aspired target state is that selling organization and
subsidiary have exclusive access to their organization-specific data. The following sections
discuss subtleties decisive when separating local IT systems.
3.7.2
Constraints
In the process of separating local IT systems and in particular data classification, local
legislation has to be closely taken into consideration. For example, the treatment of
personal data is restrictively regulated in Germany.
3.7.3
Pieces of advice
If external service providers are involved in the IT system separation process (concept
development, realization) additional examination of the progress and outcome quality
has to be ensured (i.a., by the carve-out team). The main reason behind this measure
is the danger of a know-how monopoly these external providers may obtain regarding
the local systems.
In particular for local IT systems, often used exclusively on-site by a limited amount
of users, it is recommended to use Non-Disclosure Agreements (NDAs) to circumvent
technical modifications in these systems.
NDAs are not a panacea as they do not resolve organizational inter-dependencies.
Their drafting requires the participation of both legal departments akin to the approach in corporate-wide IT systems.
3.7.4
Course of action
The approach is equal to the activities undertaken when separating corporate-wide

IT systems.
c TU M

35
3.8
3.8.1

Objectives
The objective of this work stream is the logical separation of the subsidiarys infrastructure
from the selling organization. While the term infrastructure refers to the physical hardware (server, switches, clients, communications technology), the term network denotes the
different types of computer networks (e.g., WAN, LAN, WLAN).
3.8.2
Constraints
A logical separation requires defined authentication and authorization mechanisms

to the infrastructure of the involved organizations. To ensure information security, a
need-to-know principle should be applied using, for instance, a Public Key Infrastructure (PKI).
3.8.3
Pieces of advice
A modular infrastructure of the selling organization facilitates the separation.

A centralized, uniformed, and up-to-date documentation of IT systems (e.g., through
technical Unified Modeling Language (UML) deployment-diagrams), the corresponding infrastructure elements, interfaces, physical access gates, as well as their business
usage speed-up the separation of infrastructure and networks.
To ensure the subsidiarys access to IT systems of the selling organization (cf. Section
2.8: retention as well as shared usage), the number of dedicated network connection
points should be minimized and secured, for example through firewalls.
Logical network separation requires dedicated knowledge about the extraction of
IP-addresses used for the implementation of firewall rules. However, the more finegrained the set of rules, the more accurate the access control. In contrast, fine-grained
rules always require a more complex change process for the firewalls. This process is
even more intricate, if a buying organization is involved.
In the long run, the implementation and continuous execution of a crossorganizational change process mostly likely turns out to be difficult. This is
particularly the case when there are third-party stakeholders involved (e.g., external
IT service providers, auditors).
36
c TU M

3.8.4
Course of action
Note: The activities 1-4 are only apply, if the corresponding information about infrastructure and networks is not yet available or in poor quality.
1. The IT carve-out team identifies and documents for all IT systems used by the
subsidiary the associated infrastructure elements as well as existing networks (Open
Systems Interconnection (OSI)-model Layer 2 and 3).
2. The IT carve-out team carries out an IP-address analysis for each shared IT system
taking on an IT system-centric view.
3. The IT carve-out team carries out a communication analysis in the selling organizations network to identify additional IP-addresses (infrastructure-centric view).
4. The IT carve-out team examines security weaknesses in the sellers networks and
assuming an administrator as well as an end-user role (security-centric view).
5. The IT carve-out team develops a network solution (e.g., through firewalls) based on
the identified IP-addresses and IT system user data. The solution should enable an
unidirectional access for the subsidiary to the selling organizations network. When
realizing this type of logical separation, it has to be guaranteed, that:
(a) Only the subsidiary has the possibility to access the networks of selling and
buying organization. Moreover, the access has to be restricted only to the
needed IT systems (need-to-know principle).
(b) The legal constraints and corporate policies of all three organizations are obeyed.
6. The IT carve-out team commissions the IT departments of the involved organizations
to design and roll out a change process to keep the network solution always up-to-date
(e.g., adaptation of firewall rules). In case of an IT system change (e.g., adaptation
of business logic), adjustment of infrastructure elements (e.g., relocation of servers),
or specific requirements of the involved organizations (e.g., introduction of new user
roles) this process will be carried out. The design of that process is mutually agreed
between all participating IT departments as well as potential IT providers.
7. The IT carve-out team consults the subsidiary in the migration of infrastructure
elements and its network.
c TU M

37
3.9
3.9.1

Objectives
The core objective of this workstream is to adapt the user access rights of corporate-wide
and local IT systems.
3.9.2
Constraints
The requirements of the existing legal framework (principles and guidelines) have
to be met. For instance, according to German law all IT system user-dumps must
be encrypted and approved by the works council since the extracts contain personal
data.
3.9.3
Pieces of advice
The identification process and results of existing IT system users have to be made
transparent (for instance by protocols) allowing to re-validate the gathered information later on in the carve-out. This is especially important if an external company is
commissioned to determine the systems users.
Similarly, the assignment of a user to either the subsidiary or selling organization
must be made transparent.
An IT system user clean-up, hence the purging of users and their data access rights,
necessitates in-depth knowledge about the respective authentication and authorization processes. Oftentimes, the processes of the systems differ considerably from each
other, given that they depend, among others, on the age, technology, and IT service
structure of the historically developed IT systems. To speed-up future carve-out
challenges, it is recommended to document the processes in advance while keeping
this information up-to-date.
The time for cleaning up IT system users varies. This explains the strong difference
in costs and expenses per system.
3.9.4
Course of action
1. The IT carve-out team determines existing user identifications (user-IDs) for each
corporate-wide and local IT system.
2. The IT carve-out team determines the affiliation of each user identification to the
selling organization or subsidiary respectively.
38
c TU M

3. The IT system owner determines for each combination of IT system and data object,
whether the subsidiary or seller should not have access to it (excluding approach),
thus determines the to-be access rights. Thereby, the team members base their work
on the criticality of the data classes.
4. The IT system owners carry out a user clean-up by
creating/requesting new user identifications and granting the adjusted to-be
access rights or
creating/requesting new user identifications, adopting the access rights from the
old identifications, and adjusting them according to the to-be access rights.
Both cases require the deactivation or deletion of the old user identifications.
c TU M

39
40
c TU M

4
Conclusion
According to a recent KPMG study, the average transaction costs of a carve-out amounts
to 5% of the sales revenue an organization receives when carving-out parts of it and selling
them to a buyer [Do12]. One possibility to bring down these costs is to enhance the organizational capability which is concerned with the separation of IT elements. Unfortunately,
existing literature coping with a structured and systematic approach to de-merge IT is
rather scarce. To improve this situation, this guide provides clear guidance on what and
how IT elements can be separated and prepared for a subsequent integration.
After having set the stage with a short motivation to the topic, the document outlines a
consolidated body of knowledge, which defines, among others, drivers, types, IT strategies,
and IT elements of carve-outs. In a second step, the guide details on the separation of
specific IT elements on the basis of eight dedicated workstreams. Thereby, each workstream
is structured similarly while being topic-centric and modular. In this sense, workstreams
are perfectly suited to address the needs of different IT carve-out actors. Their practiceproven content extracted from a case study guarantees feasibility and concreteness at the
same time.
Main parts of this guide originate from findings we gained when observing one IT carve-out
in the German automotive industry. Future research in this field should validate our work
by means of additional case studies, preferably from non-automotive sectors and countries
other than Germany. Besides a broader empirical basis, the two remaining IT carve-out
strategies (retention and transition to the buyers IT) have to be paid attention to as
well. Certainly, this can be only achieved if further carve-out cases are analyzed given the
limited number of published results. Future research should also attempt to contextualize
the dimension of IT, i.e., embed the presented workstreams in a broader carve-out setting.
As an example, we refer to Penzel and Pietig who added a one page Merger Navigator
to their book clustering different work packages of a specific merger dimension at a certain
point in time [PP00]. As briefly touched in Section 2.10 of this guide, additional studies
could substantiate the topic of carve-out readiness, i.e., pro-active measures preparing an
organization to separate elements of its business and IT. Furthermore, the aspect of IT
carve-out governance seems promising for us. Perused literature as well as our case study
did not unveil any role schemes, meeting frequencies, and board structures meaningful for
an IT separation project program. Lastly, presented workstream descriptions should be
extended with additional artifacts easing their implementation in the course of a timecritical and demanding transformation period.
We want to express our gratitude to all interview partners for the time spent and the
c TU M

41
open discussion about their personal experiences they made during the carve-out. In
addition, we thank Pawel Kwiecien for his support when compiling this document. With
this guide, we want to encourage academics and practitioners to provide us with feedback
regarding additional literature, case studies, ongoing research projects, as well as personal
experiences.
Contact
Alexander Schneider: alexander.schneider@tum.de

Christopher Schulz: christopher.schulz@tum.de
42
c TU M

5
Glossary
Arms-length-principle Arms-Length-Principle (ALP) is a condition or a fact, which

stipulates particular transaction prices for product delivery, rental- and leasehold
rate or financial transactions in the context of service exchange within corporations,
affiliated companies, or business groups. ALP transactions aim to stand up to legal
scrutiny, even though the involved parties may have shared interests or are too closely
related to be seen as completely independent.
Carve-out IT system form The carve-out IT system form is a structured description
of an IT system allowing to decide for or against the separation the systems data. In
addition to a detailed description of the system, its capabilities, as well as its data,
the form contains the system name, using business departments, and the respective
system owner.
Data room The physical or virtual data room contains a collection of (digital) documents
which the seller makes available to all those organizations which intent to purchase its
subsidiary. Essential purpose is to support the prospective buyers decision making
process. Besides the actual documents, the selling organization has to take charge of
the establishment and maintenance of this content repository.
Decision-tree template A decision-tree template is checklist-style guideline which is allows to classify an IT system as critical or non-critical. An IT system is considered
critical if it will be commonly used by the seller and subsidiary while containing
critical data.
IT carve-out readiness The state of IT carve-out readiness can be achieved by a set
of preliminary and continuous measures aiming to effectively and efficiently separate
elements in case of a carve-out situation.
IT component An IT component consist of software or tightly limited software systems
running separately on a dedicated hardware device. IT-components do not directly
support a business process. Instead they are part of IT system or a platform.
IT service An IT-service is rendered by a service provider to one or more customers.
The service is based on IT and supports the customer business processes. An ITservice consists of a combination of people, processes, and technologies, and should
be described by means of an IT service contract also containing information about
the service quality.
c TU M

43
IT service contract An IT service contract describes a legal and binding contract between provider and customer for recurring services. The goal is to make the control
capabilities transparent for the customer by which guaranteed performance characteristics such as scope, reaction time, and processing speed are described in detail.
An important element is the quality of a service measurably describing the agreed
performance quality. All quality information is kept by so-called Service Level Agreements (SLAs).
IT system An IT system is a well-defined collection of business functions, which enable
effective and efficient implementation of business processes. It consists of IT components and own program logic and addresses different business use cases.
Logical separation Logical separation is defined as the software-technical separation of
an IT system, IT component, infrastructure and networks, as well as data associated
with them. Among others, this is achieved by a copy of the software, introduction of a
multi-tenancy capability, virtual machines, or by setting up a firewall and/or Virtual
Private Networks (VPN) tunnel. Whenever implementing this (partially very timeconsuming) virtual encapsulation, the underlying hardware remains identical.
Need-to-know-principle The need-to-know-principle describes a security objective applicable for legally and/or business critical information. It defines that only this set
of data has to be made accessible to an actor, which is immediately required for the
fulfillment of his/her process steps.
OSI model The Open Systems Interconnection (OSI) reference model is a layered model
from the International Organization for Standardization (ISO) which was developed
as a design basis of communication protocols in computer networks. The tasks of
the communication are divided into seven consecutive layers in which for each layer
a description defines its specific purpose.
Physical separation Physical separation is defined as the hardware-technical separation
of an IT system, IT component, infrastructure and networks, as well as data associated with them. Additional physical-existing technology such as network wires,
switches, and storage devices have to be employed when realizing this type of separation.
UML The Unified Modeling Language (UML) is an standardized object modeling and
specification language to specify, design, and document software components and
other systems. Initially created by the Object Management Group (OMG) in 1997,
its current version 2.1.2 is managed by OMG along with the ISO.
User clean-up A user clean-up is defined as a system-centric adaption of user identifications regarding their data access rights.
44
c TU M

Appendix
Carve-out IT system form

Required measures - Separation of shared IT systems and their data
IT system name:
IT system owner:
Business dept. ([Selling company]):
Business dept. ([Subsidary]):
Planned system separation date:
Separated by IT system:
Description of the system and its funcionality

...
c TU M

45
Separation mechanisms
NDA
Process adaptation
Logical separation
Physical separation
Process outsourcing
Remarks
Separation of the IT system required:
Yes
No
Separation deadline:
2
2
Signature of the technical department

[Selling company]
Name
Date
Signature of the technical department

[Subsidary]
Name
Date
46
c TU M

Specific description of the data

Type of data
Personal
data
Corporate
data
Anti-trust
data
Selling company
Data criticality
Yes
No
Third-party
data
Subsidary
Yes
No
Remarks
c TU M

47
Bibliography
[AA10]
Anselmi, C.; Autry, J.:. Managing the IT Aspects of a Large-scale Divestiture.

2010.
[BESC07] Buchta, D.; Eul, M.; Schulte-Coonenberg, H.:. Strategic IT Management: Increase value, control performance, reduce costs. In Strategic IT Management:
Increase value, control performance, reduce costs. pages 6281. Gabler Verlag.
Wiesbaden, Germany. 2nd edition. 2007.
[Bo10]
Boehm, M. et al.:. IT challenges in M&A transactions - the IT carve-out view on

divestments. In International Conference on Information Systems (ICIS2010).
St. Louis, MO, USA. 2010.
[Bo11]
Boehm, M. et al.:. A dual view on IT challenges in corporate divestments

and acquisitions. In 32nd International Conference on Information Systems
(ICIS2011). Shanghai, China. 2011.
[BS06]
Broyd, R.; Storch, B.:. Carve to measure. In (Wirtz, B. W., Ed.): Handbuch Mergers & Acquisitions Management. pages 12231237. Gabler Verlag.
Wiesbaden, Germany. 2006.
[Ca03]
Cascorbi, A.:. Demerger-Management: Wertorientierte Desintegration von Unternehmen. Deutscher Universitatsverlag. 1st edition. 2003. 978-3824479450.
[Co68]
Conway, M. E.:. How do committees invent. Datamation. 14(5):2831. 1968.
[De10]
Deloitte:. Divestiture M&A News - Q1 2010 Divestiture Activity Reflect

Strengthening of overall Economy. 2010.
[Do12]
Domke, B.:. Was ist ein Carve-out? Harvard Business manager. page 17. 2012.
[DW08]
Domer, F.; Witt, H.:. Mastering IT separation - A methodology for carveouts and de-mergers. Technical report. Arthur D. Little. Frankfurt am Main,
Germany. 2008.
[Fa09]
Faehling, J. et al.:. Managing an IT carve-out at a multi-national enterprise Teaching case description. In 17th European Conference on Information Systems
(ECIS2009). 2009.
48
c TU M

[Fa11]
Faehling, J. et al.:. Managing the IT carve-out in a SBU divestment. In 18th

European Conference on Information Systems (ECIS2011). Roskilde, Denmark.
2011.
[La09]
Laszlo, M.:. Fusionen setzen die IT unter Druck. http://www.computerwoche.

de/management/it-strategie/1907945/ (cited 2012-06-14). 2009.
[Le08]
Leimeister, S. et al.:. Exploring Success Factors for IT Carve Out Projects. In

Proceedings of the XVIth European Conference on Information Systems (ECIS).
Galway, Ireland. 2008.
[MS95]
Michaely, R.; Shaw, W. H.:. The Choice of Going Public: Spin-offs vs. Carveouts. The Journal of the Financial Management Association. 24(3):521. 1995.
[OG07]
OGC:. ITIL V3 Glossary. Technical report. Office of Government Commerce.

London, United Kingdom. 2007.
[PP00]
Penzel, H.-G.; Pietig, C.:. MergerGuide. Gabler Verlag. 2000. 3409117326.
[Sc11]
Schulz, C.:. Handlungsempfehlungen und Lessons Learned f

ur Fahrzeugkooperationsprojekte am Beispiel des Transformationsprojekts New Sync BoM. 2011.
[Sm08]
Smith, M. et al.:. IT Spending and Staffing Report. Technical report. Gartner.

2008.
[TM11]
Treccapelli, A.;
Murad, Y.:.
How technology can make or
break
a
carve-out.
http://www.computerweekly.com/opinion/
How-technology-can-make-or-break-a-carve-out
(cited
2012-06-14).
2011.
[Wi12]
Wikipedia:. Arms length principle. http://en.wikipedia.org/wiki/Arms_

length_principle (cited 2012-05-21). 2012.
c TU M

49
50
c TU M


IT Carve-Out Guide

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

IT Carve-Out Guide

Hochgeladen von

Copyright:

Verfügbare Formate

TUM

TECHNISCHE UNIVERSITT MNCHEN

Florian Matthes, Alexander W. Schneider,

Software Engineering for Business Information Systems (sebis)

A carve-out can be understood as the separation of one organization into two

Undoubtedly, Information Technology (IT) represents one crucial pillar of a present-day

Guide sources and compilation approach

According to Broyd and Storch [BS06], a carve-out

can be defined as follows:

Figure 2.1:& technischer

During the PreSigning phaseBereitstellung

Joint venture carve-out

Fusion of two equipollent

Table 2.1: Types of carve-outs (inspired by [Le08])

Business, legal, and technical integration

IT departments of seller, subsidiary, and buyer provide IT-services

Figure 2.2: Core activities of a merger and joint-venture carve-out

Business, legal, and technical carve-out

Business, legal, and technical integration

IT departments of seller, subsidiary, and buyer provide IT-services

Figure 2.3: IT as one dimension of a carve-out

Figure 2.4: IT strategies for carve-out and subsequent integration

Transition Data extraction

New-build Data extraction

Business & IT staff training IT adjustements

Retention Data access separation

Table 2.2: Types of carve-outs (inspired by [Le08])

Cross-organizational projects are Business

Figure 2.5: Ideal model of cooperation between business, legal, and IT

or changes to existing software, multi-tenancy capabilities can be emphasized. In addition,

IT infrastructure and networks

Figure 2.6: IT elements affected by a carve-out

Critical if classified as being critical by at least one of the participants due to

Critical if data has to be treated confidentialy in regards of a third party (e.g.,

Table 2.3: Example for a data classification scheme

Figure 3.1: Ideal carve-out workstreams timeline

Organizational part of a company or public

Service contracts and projects

Member of the IT department of either the Corporate-wide systems

A person who manages a set of IT systems Corporate-wide systems

An individual who acts as the main contact

Service contracts and projects

Table 3.1: Main carve-out actors and their fields of activity

Early involvement of IT and business departments already during the PreSigning

Organization and carve-out team

Assist the procurement departments with the jurdical

Service contracts and projects

Design and structure IT service contracts (in particular if

Develop a data classification scheme allowing to determine

cf. corporate-wide IT systems

Infrastructure and network

Devise, negotiate, and agree upon temporary network and

System access rights

Validate user access rights for each IT system - data object

Table 3.2: Tasks of the legal departments

Organization and carve-out team

Establishing a clear organizational IT structure very early in the carve-out is vital

1. All participating organizations appoint internal experienced professionals to be part

Although software licenses, especially at the beginning of a carve-out, seem to have a

Service contracts and projects

The negotiation of IT service contracts between selling organization and subsidiary

The grouping of IT system development and maintenance contracts avoids additional

The main objective of this workstream is to develop a compulsory IT security framework